
I have a question about this. While uTorrent 3.0 will not bind to an interface, the 'net.bind_ip' and 'net.outgoing_ip' settings will accept '10.4.0.0/16' as specified input. With these settings, uTorrent connects normally. With the VPN disconnected, uTorrent fails to find any trackers or make incoming connections. This seems to be the desired behavior. Where is the flaw in this plan? Thanks!

I use uTorrent 2.2.1. My experience with later releases is very problematic. And many private trackers do not allow uTorrent releases later than 2.2.1. I am pretty sure that I tried this with 2.2.1 and it did not work.

If you say it works for later releases, I will have to take your word for it.

Did you use Process Explorer to check what interface is being used?

And did you have the VPN "suspended"? That is, real/original gateway back in place while doing this? So it was not just falling back to the VPN as default gateway?

You're correct--I did not have the native gateway suspended. Thanks again.


What are the caveats if I follow the guide to the letter but don't modify the uTorrent options (i.e. not changing the net.bind_ip etc.)?

The firewall will make sure that only the VPN interface is used for torrenting and I will be able to use the default interface for everything else. The firewall will also block utorrent from using the default interface and disallow incoming connections going through the same in case the VPN connection is broken.

...

Are there any potential problems that I cannot see with this setup, or do I have to have the uTorrent modifications done for 100% safety?

...

If you don't modify the uTorrent parameters, then when the default gateway is in place, uTorrent will try to use that for outgoing traffic, and be blocked by the firewall.

It would probably be enough to modify only the "net.outgoing_ip" parameter, since uTorrent will be listening for incoming connections from any interface.

===

If you really want to avoid reconfiguring uTorrent when you change servers, you could try using ForceBindIP:

It does seem to work (almost, see below) for 32-bit applications running on 64-bit systems, except that the file BindIP.dll needs to go in C:\Windows\SysWOW64, rather than C:\Windows\System32.

I said ForceBindIP "almost" works because I was not able to get it to pass a parameter to uTorrent. I use the "/recover" parameter to uTorrent.

ForceBindIP also worked with Deluge, except again, I could not get a parameter passed through.

To be clear, for the purpose here you would need to note this blurb from the ForceBindIP site:

"To find out the GUID of your interface, run regedit and browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces. Find the interface which has the dynamic address and then copy the key name."

===

My solution to having to reconfigure uTorrent was to modify the OpenVPN client so that I can override the IP address used on the interface:

Please note that ForceBindIP had a point iteration on 12/12/2015. There is now a 64-bit version, the .dll no longer needs to reside in the system directory, and the /recovery parameter was passed to the executable in the injected instances in my tests on uTorrent 3.0 64. I have not closely examined the network traffic of the two instances but I was definitely able to launch two distinct instances of uTorrent 3.0 64 by using the command---

---for the second instance, having launched the first instance directly. Without the -i switch, uTorrent would grab a random port and fail to resolve. If I launched uTorrent directly, specified a port, terminated, and launched a new ForceBindIP instance without the -i switch, uTorrent would grab a random port, but a normally launched instance would use the port of the prior instance. Only with the -i switch could I successfully specify a port for a bound instance. I wonder if some network activity might leak when the executable is launched but before the interface restriction is imposed, but I am not sure how to detect this or why it would override and overwrite the port specification.

I am making a major tweak to a very unsupervised system. It has to be as automatic as possible because kids just can't resist power buttons and I have more important things to do than police a multi-use desktop/gamer/server for good torrenting behavior. If and when I get to where I want to be, I will post all the specific information I can to improve the security situation of everybody.


Thank you very much for the guide, excellent! Got everything working and has been for many months. I find I've got a bit of a problem that is related enough I'd like to ask it here and see if anyone can help with the configuration.

I use one browser program for everything else, and one for "project x". I'd like to limit one browser program, let's say firefox to 'project x' and run that through the vpn only. Then use another browser, like opera etc. for everything else outside the tunnel.

Is that possible, and if so how?

I've tried blocking Firefox the same as uTorrent on the 192.168.0.0/16 range, but then with the "suspend" modified route table it can't find sites.

Any help greatly appreciated from this sadly-non-technical ex-tech-from-back-when...

If it does work, it will only send non-DNS traffic over the VPN. And this may not be good enough to be able to use AirVPN's "micro-routing" for getting around geo-blocking. You could try using AirVPN's DNS servers for both VPN and non-VPN traffic. I would guess that non-VPN traffic will work OK with that. See this earlier post:

Or you could just use AirVPN's client and let it set the DNS to their DNS for you. It is possible to use Eddie with this configuration. And at this point I am actually doing that. Let it pick a good server. And I don't have to download the .ovpn files so often.


Fantastic guide. I learned a lot from reading it too. 3 questions though.

1. Why when you run the suspend VPN gateway .bat file does your torrent client (deluge for me) no longer show you as being connectable even though incoming connections are taking place?

When I use uTorrent or Deluge, they both show me that they are connectable. uTorrent shows the green icon. Deluge does NOT show me the "no incoming connections" icon. I don't know why you see something else. The important thing is that Process Explorer shows you receiving incoming connections.

2. I had to omit the incoming rules for the torrent client because when I used "10.4.0.0/16" I was unable to receive incoming connections with the VPN gateway being suspended. Should that be the case?

You must have made some sort of mistake. With Windows firewall in its default state, it will block incoming connections if you do not have the firewall rule for incoming connections. The firewall rule that I have you add is to allow connections, not block them. It is only the outgoing firewall rule that is to block connections.

3. Is it necessary to use the Open VPN client as opposed to the AirVPN client in order for this to work?

No. You can use the Eddie client. I say so in a few posts above, including the one just before your post. I use it for my AirVPN connections myself now.


In the sample screenshot you will see that the VPN address "10.4.50.142" goes with the interface "eth5[0]". So I have copied and pasted that into the text box instead.

When I type in "eth5[0]" in the box and save, then I get an error in Vuze. The routing icon turns red and it says "Missing: eth5[0]". When I put in my VPN address, then it works, but I don't want to have to change anything manually when a server change occurs. Could anyone tell me what I'm doing wrong (or forgetting) and even better tell me what I should do? Thanks a lot.


UPDATE: In a later post I provide a simpler IPv6-compatible example of how to use Squid.

Squid is an HTML proxy. And it is available as a package for Cygwin, which is "a large collection of GNU and Open Source tools which provide functionality similar to a Linux distribution on Windows". This post explains how it can be used to be able to browse over the VPN (even using AirVPN's DNS) in one browser instance, while leaving the default gateway as the native/real gateway and also browsing (or whatever) over that simultaneously. It is also possible to use several web rippers through it - get_iplayer, youtube-dl and AdobeHDS.

To make the installation and set up easier, I put together some scripts that make it fairly easy (I believe). These are in the following attached zip file:

Note that although the zip file has NOT been updated, below some additional configuration lines have been added which you may want to add.

To have squid stop in 1 second rather than the default 30 seconds:

shutdown_lifetime 1 seconds

If you have IPv6, disable an IPv6 leak on ipleak.net:

dns_v4_first on
tcp_outgoing_address ::1
dns_nameservers ::1

END of UPDATE

This post explains how to use these scripts. You can of course change the various scripts in this folder as you see fit. In fact, you definitely will need to inspect them to understand what is going on here. And follow some of the web links. The instructions are very brief.

Now that we have the installer, install the necessary Cygwin packages to run squid by running cygwin_install.bat.

The Cygwin installation will go in C:\cygwin_squid, unless you change the script, or pick a different destination. Note that C:\cygwin_squid appears in several other scripts.

Just keep pressing the "Next" button. Except that you will have to select a mirror site. University sites are usually good.

Now start the OpenVPN tunnel.

This step relies on there being a "128.0.0.0/128.0.0.0" routing table entry, which OpenVPN will install if left to its default behaviour ("redirect-gateway def1"). With the OpenVPN tunnel running, run squid_setup_VPN.bat to create the squid configuration file squid.conf, (in the same folder). Lines similar to these will be put in front of the standard Cygwin squid configuration file:

In order to determine the values to be used for tcp_outgoing_address and dns_nameservers, squid_setup_VPN.bat scans the output of "route print" for the "128.0.0.0/128.0.0.0" routing table entry. If there is a problem with this, you will have to specify values for tcp_outgoing_address and dns_nameservers in squid.conf yourself (or fix squid_setup_VPN.bat yourself).

To start squid run squid_start.bat. There will be no minimized window or anything. You will just have squid running in the background.

To see the status of squid run squid_status.bat. This just shows all running Cygwin processes. Just look for "squid" in the output.

To stop squid run squid_stop.bat. It may take several seconds for squid to stop, even when you try to shut down Windows. I suggest that you stop it first. You can keep running squid_status.bat in order to be sure it is gone.

You can create shortcuts to squid_setup_VPN.bat, squid_start.bat, squid_status.bat and squid_stop.bat by running squid_shortcuts_setup.bat. These shortcuts can then be moved or copied somewhere more convenient.

You will need to set up your browser to use the squid HTML proxy now available at 127.0.0.1:3128.

For Firefox you can do this using the "Open menu" icon in the upper right corner. Select "Options" there and then "Advanced/Network/Connection/Settings". In that property page select "Manual proxy configuration" and "Use this proxy server for all protocols". And fill in "localhost" for "HTTP Proxy" with "3128" for "Port".

If you want to be able to browse through the VPN at the same time as you browse normally, again with Firefox, you can set up a separate profile just for browsing through squid.

If you have installed Firefox in the default location, you should be able to launch the Firefox profile manager by running firefox_profile_manager.bat. Or create a shortcut with a command line as in that file.

If you create a profile called "squid_VPN_tester" you can launch Firefox with the "squid_VPN_tester" profile using firefox_with_squid_VPN_tester_profile.bat. Or create a shortcut with a command line as in that file.

As a quick and dirty way to set up a profile named "squid_VPN_tester" with its profile folder as "profile_squid_VPN_tester" within the current you can run "firefox_create_profile.bat". Remember to remove it later with the Profile Manager.

@rem Download setup-x86.exe or setup-x86_64.exe (not both) from https://cygwin.com/install.html.
@rem Then copy this file to the same folder and run.
@rem This will install to C:\cygwin_openvpn_build (see below), unless you change it. If you
@rem change it here, change it in cygwin_here.bat too.
@if not exist setup-x86.exe (
@if not exist setup-x86_64.exe (
@echo neither setup-x86.exe nor setup-x86_64.exe is present
@echo download one of them to this folder from https://cygwin.com/install.html
@echo or use cygwin_installer_download.bat to download setup-x86.exe
@pause
@exit
)
)
@for %%f in (setup-x86*.exe) do @set p=%%f
%p% -help
@pause

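The post above says squid_setup_VPN.bat scans "route print" for the "128.0.0.0/128.0.0.0" entry to fill in tcp_outgoing_address and dns_nameservers. The following is an added illustration of that lookup, not the script from the zip file; the sample output is constructed, and taking the route's gateway as the DNS server is an assumption, since the post does not say which column the script uses for dns_nameservers.

```python
import ipaddress
import re

# Constructed sample of "route print" IPv4 output with the tunnel up.
# 10.4.50.142 is the VPN address quoted in the thread; the rest is illustrative.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0        128.0.0.0         10.4.0.1     10.4.50.142     20
        128.0.0.0        128.0.0.0         10.4.0.1     10.4.50.142     20
      192.168.1.0    255.255.255.0          On-link    192.168.1.20    281
===========================================================================
Persistent Routes:
  None
"""

# A route row has exactly five columns and ends in a numeric metric,
# which excludes the header and separator lines.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s*$")


def find_def1_route(route_print_text):
    """Return (gateway, interface) of the 128.0.0.0/128.0.0.0 route, or None."""
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "128.0.0.0" and m.group(2) == "128.0.0.0":
            return m.group(3), m.group(4)
    return None


def squid_lines(route_print_text):
    """Build the two squid.conf lines, refusing to guess when the route is absent.

    Failing here matters: without an explicit tcp_outgoing_address squid
    would send traffic out through whatever the default gateway is.
    """
    route = find_def1_route(route_print_text)
    if route is None:
        raise RuntimeError("no 128.0.0.0/128.0.0.0 route: tunnel down or def1 not in use")
    gateway, interface = route
    try:
        ipaddress.IPv4Address(interface)
        ipaddress.IPv4Address(gateway)  # rejects "On-link"
    except ValueError as exc:
        raise RuntimeError(f"unusable route entry: {exc}") from None
    # Assumption: the VPN gateway doubles as the DNS server.
    return [f"tcp_outgoing_address {interface}", f"dns_nameservers {gateway}"]


if __name__ == "__main__":
    print("\n".join(squid_lines(SAMPLE_ROUTE_PRINT)))
```
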

I followed that tutorial a year or two ago cuz I wanted to start using a VPN for torrenting. I'm now switching to a MacBook Pro and I can't seem to find that same tutorial for Mac. Is anyone here able to help me? The fact is I found this tutorial for Windows amazing because it actually explains everything (I'm not that good in IT and everything tbh haha) so I really wanted to make no mistake and be able to use AirVPN on my Mac for torrenting.

Thank you very much for your help guys !

PS: If I can't use it only for torrenting on my Mac but have to use it for everything internet related, it doesn't bother me then. Just need to find the right tutorial to follow because I saw many but couldn't find the one to help me (or I'm just too bad and need someone to tell me "it's this tutorial you wanna follow").


Just to know, as I don't understand a lot about this, there are rules missing for IPv6, right?

...

Yes, IPv6 is not addressed. That guide was first written some years ago, on another forum.

You should be able to add a rule to block the torrent client from using your IPv6 interface, just as you did for your IPv4 interface.

Also, use Process Explorer to see whether there are in fact connections. What uTorrent shows can be delayed/deceptive. With Process Explorer you should see connections stop immediately when the VPN drops.

I am afraid I do not have this set up running on my PC any more. So I cannot easily replicate what you may be doing.

Thanks NaDre, but despite the IPv6 issue, do you know why I'm seeing connection leaks on the native interface when the VPN is down (and IPv6 disabled), as shown here in Process Explorer?

As I showed before, it only happens when the VPN is down; when the VPN is enabled everything seems to go through the VPN. I don't know if there is any configuration missing besides the firewall rules and uTorrent bind IPs.

Thanks in advance!

Sorry. I was lazy before. You did use process explorer.

Are you certain that the outbound block is on the same physical executable as is shown in the "image" tab in Process Explorer? I believe that I did try this stuff with Windows 10, and it still worked. So unless a Windows update has broken Windows Firewall, if you block the correct executable, it should work.

Failing that, try using ForceBindIP to prevent uTorrent from reverting to the native interface. Now that I think of it, I corresponded with someone in a forum at a private tracker who had a similar issue, and found that ForceBindIP helped.

Hi no problem

Yes, it's the same executable. Maybe my Windows is missing some kind of firewall update? It's strange, I'm using Windows Server 2008 R2.

Hi mate,

Unfortunately I tried with ForceBindIP and got the same issue: when the VPN goes down, connections start going through the 192.168.1.X interface.

Besides, when connecting again but to a different server, it continues going through the 192.168.1.X, so it seems that ForceBindIP doesn't make uTorrent respect the network GUID.

This is how I launch ForceBindIP:

ForceBindIP.exe {C464A1E4-E52A-2201-CFA4-464AB1768AB3} utorrent.exe

Where {C464A1E4-E52A-2201-CFA4-464DC0768AE4} is the GUID of the network adapter attached to airvpn. I also tried the -i switch with ForceBindIP without luck.

Do you have another tip or recommendation to follow that you can remember?


How stupid of me, I discovered what was happening. I was using an environment variable to point to the executable file in the Windows Firewall, and it seems it was not expanded, so the rule wasn't applying properly, and when the VPN was down it was going through the 192.168.1.X interface.

What I do see is that ForceBindIP doesn't seem to do the work to avoid changing the uTorrent IPs using the GUID adapter instead of the IP. If I leave the net.outgoing_ip and net.bind_ip empty and I stop the VPN and reconnect to another server, uTorrent doesn't reconnect anymore until I restart it again. It seems ForceBindIP is not making the IP switch when using the GUID adapter.

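The failure described in the post above (an outbound block rule whose program path held an unexpanded environment variable, so it never matched the running executable) can be checked from a rule listing. This is an added example, not something posted in the thread: it parses text in the layout of `netsh advfirewall firewall show rule name=all verbose`, and the sample rule, the `%APPDATA%` variable and the paths are constructed for illustration.

```python
import ntpath

# Constructed sample in the layout of the netsh verbose rule listing.
SAMPLE_NETSH = r"""
Rule Name:                            uTorrent block native
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
LocalIP:                              192.168.0.0/16
RemoteIP:                             Any
Protocol:                             Any
Program:                              %APPDATA%\uTorrent\uTorrent.exe
Action:                               Block

Rule Name:                            uTorrent allow VPN in
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
LocalIP:                              10.4.0.0/16
RemoteIP:                             Any
Protocol:                             Any
Program:                              C:\Users\me\AppData\Roaming\uTorrent\uTorrent.exe
Action:                               Allow
"""


def parse_rules(text):
    """Split the listing into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:                      # blank lines and the dashed separator
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = value
    return rules


def audit_block_rules(netsh_text, image_path):
    """Sort enabled outbound block rules by whether they match image_path.

    image_path is the full path from the Process Explorer "image" tab.
    'covering' rules name that exact executable (or any program);
    'unexpanded' rules still contain a %VARIABLE% and need checking by hand.
    LocalIP is not evaluated here; confirm it covers the native range.
    """
    want = ntpath.normcase(ntpath.normpath(image_path))
    covering, unexpanded = [], []
    for rule in parse_rules(netsh_text):
        state = (rule.get("Enabled"), rule.get("Direction"), rule.get("Action"))
        if state != ("Yes", "Out", "Block"):
            continue
        program = rule.get("Program", "Any")
        if "%" in program:
            unexpanded.append(rule["Rule Name"])
        elif program == "Any" or ntpath.normcase(ntpath.normpath(program)) == want:
            covering.append(rule["Rule Name"])
    return {"covering": covering, "unexpanded": unexpanded}


if __name__ == "__main__":
    image = r"C:\Users\me\AppData\Roaming\uTorrent\uTorrent.exe"
    print(audit_block_rules(SAMPLE_NETSH, image))
```

An empty `covering` list for the torrent client's image path means no outbound block is in effect for it, whatever the rule list looks like in the firewall console.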

How stupid of me, I discovered what was happening. I was using an environment variable to point to the executable file in the Windows Firewall, and it seems it was not expanded, so the rule wasn't applying properly, and when the VPN was down it was going through the 192.168.1.X interface.

It had to be something like that. Hard to believe that Windows Firewall would not be working on your Windows release.

What I do see is that ForceBindIP doesn't seem to do the work to avoid changing the uTorrent IPs using the GUID adapter instead of the IP. If I leave the net.outgoing_ip and net.bind_ip empty and I stop the VPN and reconnect to another server, uTorrent doesn't reconnect anymore until I restart it again. It seems ForceBindIP is not making the IP switch when using the GUID adapter.

Any clues on this?

I have not used ForceBindIP all that much. But when I have tried it, it works within its acknowledged limitations (does not get inherited by sub-processes). And it certainly worked for uTorrent 2.2.1. And others have posted here about having success.

Try it using the actual IP address rather than the string identifying the interface from the registry. If that works, you must have gotten the string from the registry wrong?

Edit: I would actually be ok with having to launch all four programs (Deluge, qBittorrent, Tixati and Firefox) through ForceBindIP if that would make things easier. Basically a configuration where the VPN is active, the three torrent clients are blocked by the firewall, but if I launch them through ForceBindIP they go through the VPN. Would that be easier/possible?

By reading Part 2 of the guide (you can use Eddie if you want, without network lock) and also looking through the rest of the posts in the thread (mine especially) for information about binding clients/ForceBindIP, yes. This is the whole point of this thread.

Windows 10 is not mentioned. The guide was written a few years ago (in fact a couple or three years before it appeared in this thread). But the techniques all still work in Windows 10. At its core, Windows has not really changed much.